No quiet before the storm with this year’s WWDC. After macOS 10.14.5 and iOS 12.3 dropped last week, we got new MacBooks Pro with a decent speed bump this week. Their keyboard only got minor changes, but Apple has also announce a Keyboard Service program.

MacAdmins on Twitter

Timo Perfitt: “If you are interested in the Twocanoes MDS slides, exercises, or links from my roadshow, this tweet is for you! https://t.co/AZ8rJcafCD”

tlark: “Want to try to get rid of Adobe products? It may not be possible, but there are alternatives… ”

Edward Marczak: “Or you can go all in and just not allow 32-bit execution: sudo nvram boot-args="-no32exec"… ”

John C. Welch: “I was just thinking, at random about Macworld Expo, and I realized why its end, and the end of end-user/consumer-focused computer shows in general are a bad thing. What happens when all computer shows are for devs or industry “insiders”?” (Long thread)

This Monday, macOS 10.14.5 (and all the related updates) dropped. The timing was surprising, but became clearer when the news on a new group of Intel CPU vulnerabilities arrived as well.

10.14.5 brings some mitigations to these vulnerabilites, but to be sure, you would have to disable Hyperthreading on your CPU(s) which brings up to 40% performance hit.

With 10.14.5 the new notarization rules for applications and kernel extensions arrive as well. All of this is once again demonstrating the importance (and the challenges) of IT being able to quickly roll-out and support system updates.

Tweets

Jason Broccardo on Twitter: “#macadmins n.b. the both the 10.14.5 and iTunes Device Support Update updates have trailing spaces when you are looking at the CLI softwareupdate listing. If you want to CLI install you’ll need to account for that.”

Marnin: “When using the Time Server payload on earlier version of macOS 10.14, the time zone was not getting set properly.”

Ken Case: “Today Apple released macOS Mojave 10.14.5, which fixes a CoreAnimation drawing issue that was affecting customers using large OmniOutliner and OmniPlan documents. If you’re a Mac customer using Mojave, I strongly recommend updating!”

MacAdmins on Twitter

Caleb Coy: “Was just reminded that the #macadmins Slack community turns 4 this weekend. I don’t know about y’all, but a lot has happened for me in that time and having this community has helped so much.”

Timo Perfitt: “Interesting that the additional recovery partition key combos are only available if you have installed 10.12.4 or later at least once.”

Adam Codega: “A configuration profile is never late. Nor is it early; it arrives precisely when it means to.”

Kitzy: “macOS Mojave 10.14.5 has been out for over 48 hours now. Still no sign of it in Jamf’s patch management. It’s frustrating that Jamf finally got the mechanics of patch management down but crippled it by making us all rely on Jamf for patch definitions that are slow to update.”

Ricky Mondello: “Did you know that you can drag Safari’s Downloads popover by its title into being a detached, free-standing window, so you can more easily monitor your long-running downloads?”

Someone on the MacAdmins Slack recently asked how you could assign a global keyboard short cut to open Terminal on macOS.

Note: alternative terminal applications such as iTerm2 may have this built-in.

macOS has an option to assign custom global keystrokes to pretty much anything, but it is not obvious how to get there.

First, open the Automator application. In the chooser for a new Workflow, choose ‘Quick Action’ (on Mojave) or ‘Service’ on earlier versions of macOS.

The new Workflow chooser in Mojave

In the new workflow configure the input to be ‘no input’ and the application to be ‘any application.’

Then search for ‘Launch Application’ action in the library pane on the left and add it to your workflow by double-clicking or dragging.

The popup menu where you can slect an application in the action will only show applications from the /Applications folder. Choose ‘Other…’ and select Terminal in the ’/Applications/Utilities` folder.

Configure your workflow

Save the workflow. Give it a meaningful name such as ‘Open Terminal.’ Since you chose Quick Action or Service, this workflow will be saved in ~/Library/Services.

Open System Preferences > Keyboard. Click the ‘Shortcuts’ tab and select ‘Services’ from the list on the left side. (Even on Mojave, it is still called ‘Services’.)

Scroll all the way down the list of services under the ‘General’ heading, you should find the service you just created. Select it and click ‘Add Shortcut’ to assign a global shortcut.

Keyboard Shortcut Preferences

You are done!

When the active application uses the same keystroke, the application’s definition will precede your global shortcut.

Of course, you don’t have stop at launching applications. You can assign a global keyboard shortcut to any Automator workflow this way. Since Automator workflows can include AppleScript, Python or shell scripts, you can do pretty much anything this way!

However, most Apple users don’t bother with shortcuts to launch apps. Just invoke Spotlight with command-space and start typing term and hit return.

More 10.15 and iOS13 rumors (or previews), Microsoft goes Terminal and open source and leaks the Chromium-based Edge browser for Mac, Mac admins continue to explore the effects of the 10.14.5 notarization requirements, and Adobe ‘unauthorizes’ old versions.

The point of this class is to overcome the first hurdles of a very daunting and complex topic. You will learn the basics of bash scripting (and debugging). The goal you can start scripting and gain experience on your own, without getting into too much trouble. The class is designed specifically for Mac adminstrators, so most of the examples and exercises will have direct application for Mac system management. You will learn both scripting and some useful adminstration tools.

Later, we will also offer an “Advanced Scripting macOS” class, that builds on the first, which will go deeper and address more complex topics.

The Scripting classes are designed and held by myself. I do have to thank the entire team at Pro Warehouse for the amazing effort everybody put in to make this happen.

The Scripting classes (and our other management classes) will be offered in our new training facility at the Pro Warehouse offices in Amsterdam! Classes will be offered in English, so international participants are welcome!

Typography is a wonderful art and has a long history. When humans turned from manual typesetting to machines, type writers and then computers, some compromises had to be made. One of these compromises was to use simple straight quote symbols for opening and closing the quote, rather than different quote symbols for opening and closing.

Note: which kind of quotes are used for opening and closing dependent on the language or and some convention. English uses upper quotes “…”, German opens with a lower quote: „…“, French uses ‘guillemets:’ «…», and Japanese uses hooks: 「…」

Quotation Marks have funny names in many languages. Germans call them “Gänsefüßchen,” or “little goose feet.”

macOS, iOS and other modern operating systems have a feature which replaces the simple or straight quote symbols with the typographic quotes. So, you type "Hello!" and the quotes are automatically replaced with the proper (depending on localization) typographic quotes. This is called “smart quotes.”

This is pretty nice, but can be troublesome when dealing with Terminal and text editors. Scripting languages and shells always use straight quotes, and cannot deal with typographic quotes.

Now, if someone sends you a command or a script that uses quotes, and it goes through an app that replaces them with smart quotes, then bash and Terminal will fail miserably.

There is not much you can do, other than be aware of this and check pasted code carefully. There is something you can do to make this easier, though.

The default monospace font used in Terminal on macOS are ‘Menlo’ or ‘SF Mono,’ depending on the macOS version. Now these are fine typefaces, but their typographic quotes are not very curly at all, making them very hard to distinguish from the ‘dumb’ straight quotes that Terminal expects. The classic ‘Monaco’ typeface on the other hand has beautiful curly typographic quotes, making them very distinct from the the straight quote.

My favorite mono space typeface ‘Source Code Pro’ also has nice curly typographic quotes. I have built this table with many common monospace typefaces and their quotes.

Quotation Mark Comparison

Now this shouldn’t be your only criteria in choosing your Terminal font, but it may be something that helps avoid quote errors.

The big news this week was that Apple has started removing certain iOS applications which allow fine-grained parental controls for their children’s iPhones and iPads. The first post on this in the New York Times speculated that Apple was removing products that compete with Screen Time. However, Apple clarified that these companies are using MDM (Mobile Devices Management servers) to get the features, which is a “guideline violation.”

Since this discussion involves MDM, I believe it is very relevant to Mac and iOS administrators.

You could discuss whether these services should be using MDM to get the feature set their customers desire. You could have (the ever repeating) discussion on how Apple reverses years’ worth of approvals because they now suddenly realize the app has been in violation all along. You could question how fair and reasonable the 30 days ultimatum for an updated app without MDM was, since there is no other API with a similar feature set, and how well the ultimatum was communicated.

But I want to point out that MDM enrollment, both on iOS and macOS, has to be manually initiated the user, and approved with a passcode. This required user approval, is a big hurdle for automated delpoyments, something which administrators are longing for.

The workaround for this, according to Apple is Automated Device Enrollment (formerly known as DEP) where the chain of possession from Apple, through a reseller, to the purchasing organisation is proven and logged in Apple’s servers. Even with DEP, user approval of the management features is necessay at first boot.

There have been cases where malware has installed MDM profiles on iOS and Macs and supposedly user approval should protect from these cases. Yet, when a service or application, which promises a solution the user desires, asks for approval, the user will click anything.

Users are trained to approve these security dialogs. The more dialogs the system throws at the user, the more they are trained to quickly approve and authorize them without really reading or understanding. Too much user approval can be detrimental to its purpose.

MDM servers need certificates from Apple to work. They need to register with the push notification service to communicate with the clients. The client applications that are distributed through the iOS and Mac App Stores, need developer certificates from Apple.

Apple would have many options to control and block malicious actors in this field without hurting legitimate services and administrators seeking automation.

🐦MacAdmins on Twitter

mikeymikey: “Different techniques, different goals. Internet recovery has been modified multiple times over the years (example change in 10.12.4), whereas netboot was a device independent standard that would have needed a total overhaul for Secure Boot.”

Steve Troughton-Smith: “Just 35 days to WWDC! 35 days to iOS apps on the Mac, 35 days to multi-window iPad homescreen revamp, 35 days to Dark Mode on iOS”

Steve Troughton-Smith: “Dashboard isn’t the only thing gone in 10.15 — so is 32-bit app & plugin support, Carbon, Ink, QuickTime 7 & QuickTime plugins, PPTP, and hardware RAID. You will get Python 3.7 and Ruby 2.6, at least” (Python 3 alongisde the soon-to be EOL’ed Python 2.7 would be good news.)

I am traveling with just my iPad this week, so this is the first time that I am assembling the newsletter entirely on iOS. It has been an interesting challenge. I built a shortcut which copies a page from Safari in Markdown format, something that Byword on Mac does automatically on drag’n drop, but Byword on iOS does not.

If there are any errors or differences in this week’s newsletter because of that, please be tolerant. Since I am traveling and somewhat distracted, there may have been a post or news that I missed. Please tell me and I will add it next week! (Contact info at the end of the letter.)

Joe Bourne: “Support for OS X Mojave has come to Azure Pipelines hosted agents and it includes Xcode 10.2! If you’re using the ‘Hosted macOS’ pool, your pipelines will already start running on Mojave. YAML customers can use ‘macos–10.14’ for their pool VM Image (Link)”

Rich Trouton: “If you’re a user of First Boot Package Install, there’s a new version available. Same great functionality, but now it’s signed and notarized!”

Thomas Reed: “Think Macs can’t get infected with malware? Or that they only get infected with adware and junk software? Think again. Here’s a story involving supply chain attacks, millions of dollars stolen… and Mac malware.”

Tim Perfitt: “Adding Munki server and automatic munki client provisioning into MDS 1.7. Also added MunkiAdmin to the toolbar so you can setup, manage and deploy Macs using MDS + Munki without ever touching the command line.…”

Many thanks again to all those who put a lot of effort into making MacADUK 2019 the great conference it was. Also thanks to the attendees with all their great feedback and applause. See you all again next year!